Class CmsParameterEscaper


  • public class CmsParameterEscaper
    extends java.lang.Object
    This class is responsible for automatically escaping parameters in Flex requests. It keeps track of which parameters to escape (or not escape), and which parameters need to be processed by AntiSamy.

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String DEFAULT_POLICY
      The file name of the default policy.
      protected static org.owasp.validator.html.Policy defaultPolicy
      The default policy, which is used when no policy path is given.
    • Method Summary

All Methods
      Modifier and Type Method Description
      org.owasp.validator.html.AntiSamy createAntiSamy(CmsObject cms, java.lang.String policyPath)
      Creates a new AntiSamy instance for a given policy path.
      void enableAntiSamy(CmsObject cms, java.lang.String policyPath, java.util.Set<java.lang.String> params)
      Enables the AntiSamy HTML cleaning for some parameters.
      java.lang.String escape(java.lang.String name, java.lang.String value)
      Escapes a single parameter value.
      java.lang.String[] escape(java.lang.String name, java.lang.String[] values)
      Escapes an array of parameter values.
      protected java.lang.String escapeSimple(java.lang.String name, java.lang.String value)
      Default escape function that doesn't do HTML filtering.
      java.lang.String filterAntiSamy(java.lang.String name, java.lang.String html)
      Filters HTML input using the internal AntiSamy instance.
      static org.owasp.validator.html.Policy readPolicy(CmsObject cms, java.lang.String sitePath)
      Helper method for reading an AntiSamy policy file from the VFS.
      void setDummyValue(java.lang.String dummyValue)
      Sets the dummy value.
      void setEscapeInvalid(java.util.Collection<java.lang.String> escapeInvalidList)
      Sets the parameters which should be escaped even if the dummy value is set.
      void setExceptions(java.util.Collection<java.lang.String> exceptions)
      Sets the set of names of parameters which shouldn't be escaped.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • defaultPolicy

        protected static org.owasp.validator.html.Policy defaultPolicy
        The default policy, which is used when no policy path is given.
    • Method Detail

      • readPolicy

        public static org.owasp.validator.html.Policy readPolicy(CmsObject cms,
                                                                 java.lang.String sitePath)
        Helper method for reading an AntiSamy policy file from the VFS.

        Parameters:
        cms - the current CMS context
        sitePath - the site path of the policy file
        Returns:
        the policy object for the given path
      • createAntiSamy

        public org.owasp.validator.html.AntiSamy createAntiSamy(CmsObject cms,
                                                                java.lang.String policyPath)
        Creates a new AntiSamy instance for a given policy path.

        Parameters:
        cms - the current CMS context
        policyPath - the policy site path
        Returns:
        the new AntiSamy instance
      • enableAntiSamy

        public void enableAntiSamy(CmsObject cms,
                                   java.lang.String policyPath,
                                   java.util.Set<java.lang.String> params)
        Enables the AntiSamy HTML cleaning for some parameters.

        Parameters:
        cms - the current CMS context
        policyPath - the policy site path in the VFS
        params - the parameters for which HTML cleaning should be enabled
      • escape

        public java.lang.String escape(java.lang.String name,
                                       java.lang.String value)
        Escapes a single parameter value.

        Parameters:
        name - the name of the parameter
        value - the value of the parameter
        Returns:
        the escaped parameter value
      • escape

        public java.lang.String[] escape(java.lang.String name,
                                         java.lang.String[] values)
        Escapes an array of parameter values.

        Parameters:
        name - the parameter name
        values - the parameter values
        Returns:
        the escaped parameter values
      • filterAntiSamy

        public java.lang.String filterAntiSamy(java.lang.String name,
                                               java.lang.String html)
        Filters HTML input using the internal AntiSamy instance.

        Parameters:
        name - the parameter name
        html - the HTML to filter
        Returns:
        the filtered HTML
      • setDummyValue

        public void setDummyValue(java.lang.String dummyValue)
        Sets the dummy value.

        If the dummy value is set, then values which would otherwise be XML-escaped will be replaced with the dummy value instead.

        Parameters:
        dummyValue - the new value
      • setEscapeInvalid

        public void setEscapeInvalid(java.util.Collection<java.lang.String> escapeInvalidList)
        Sets the parameters which should be escaped even if the dummy value is set.

        Parameters:
        escapeInvalidList - the collection of parameters which should be escaped even if the dummy value is set
      • setExceptions

        public void setExceptions(java.util.Collection<java.lang.String> exceptions)
        Sets the set of names of parameters which shouldn't be escaped.

        Parameters:
        exceptions - a set of parameter names
      • escapeSimple

        protected java.lang.String escapeSimple(java.lang.String name,
                                                java.lang.String value)
        Default escape function that doesn't do HTML filtering.

        Parameters:
        name - the parameter name
        value - the parameter value
        Returns:
        the escaped value
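The following is an added usage example, not OpenCms project code, showing the configuration sequence the methods above describe: exceptions that bypass escaping, AntiSamy cleaning for one rich-text parameter, and the dummy value with its escape-invalid override. It assumes the class lives in org.opencms.flex, has a public no-arg constructor (no constructor is listed on this page), and that the caller supplies the CmsObject and a VFS policy path; it compiles against an OpenCms classpath.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.opencms.file.CmsObject;
import org.opencms.flex.CmsParameterEscaper; // package assumed

/** Added usage illustration for CmsParameterEscaper; not OpenCms project code. */
public class ParameterEscaperUsage {

    /**
     * Configures an escaper so that "page" and "sort" are never escaped,
     * "content" is HTML-cleaned with the AntiSamy policy read from policyPath,
     * and every other parameter is XML-escaped unless the dummy value applies.
     * cms is the caller's CMS context; policyPath is a VFS path chosen by the caller.
     */
    public static CmsParameterEscaper configure(CmsObject cms, String policyPath) {
        // Assumption: public no-arg constructor (not listed on the Javadoc page).
        CmsParameterEscaper escaper = new CmsParameterEscaper();

        // Parameters whose values are passed through unescaped; only list names
        // that are validated elsewhere (e.g. parsed as integers or matched to an enum).
        escaper.setExceptions(Arrays.asList("page", "sort"));

        // Rich-text parameter: filtered by AntiSamy instead of plain XML escaping.
        Set<String> htmlParams = new HashSet<>();
        htmlParams.add("content");
        escaper.enableAntiSamy(cms, policyPath, htmlParams);

        // With a dummy value set, values that would otherwise be XML-escaped are
        // replaced by this marker instead ...
        escaper.setDummyValue("INVALID");
        // ... except for "q", which is still escaped even though the dummy value is set.
        escaper.setEscapeInvalid(Arrays.asList("q"));
        return escaper;
    }

    /** Escapes every entry of a request parameter map with the configured escaper. */
    public static Map<String, String[]> escapeAll(CmsParameterEscaper escaper,
                                                  Map<String, String[]> params) {
        Map<String, String[]> result = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            // escape(name, values) applies the per-parameter rule chosen above.
            result.put(e.getKey(), escaper.escape(e.getKey(), e.getValue()));
        }
        return result;
    }
}
```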